So I built our network to protect our ISP account. We have a guest network for the café, and we also have a contract plan with Comcast Business. I’m not interested in getting a strike from Comcast Business for BitTorrent traffic that a customer’s PC sends out using Comcast’s own DNS… The solution I found to avoid having our internet suspended: our own DNS server, a VPN account with a dedicated IP, and a firewall.
Our Coffee shop network diagram
Modem ⇾ Gateway VPN (Raspberry Pi or Player Windows Mini PC) ⇾ Router/firewall (ER7206) ⇾ Access Point (EAP610)
How to set it up, step by step:
Step 1: install Ubuntu on the mini PC.
After installing Ubuntu on the machine, update and upgrade it from a terminal:
sudo apt update && sudo apt upgrade -y
Then give this machine a static IP from your ISP so you can remote into it. Don’t worry, this will not expose SSH or RDP remote desktop to the whole world, because you will use the NordVPN mesh feature to allow only specific computers or phones to reach the server.
Go to Settings ⇾ Network ⇾ Wired ⇾ settings (gear) icon ⇾ IPv4: set your IP and DNS there, then ⇾ IPv6: disable. I have a second Ethernet port, which I set to “Shared to other computers” under IPv4, with IPv6 disabled, then Apply. Now your LAN is ready to assign an IP to your router. Then we need to fully disable IPv6 in sysctl.conf.
Disable IPv6 in sysctl.conf:
sudo nano /etc/sysctl.conf
then add these lines at the bottom of sysctl.conf:
net.ipv4.ip_forward=1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.tun0.disable_ipv6 = 1
Now I need to make the mini PC boot without an HDMI cable attached. It did work without this change, but after 6 hours our server was down: the missing HDMI signal caused the device to suspend. The following avoids that suspend. Also make sure Bluetooth is disabled, because there is a kernel bug with Bluetooth. After disabling it, the machine boots fine without HDMI or Bluetooth.
Open the GRUB config file with nano:
sudo nano /etc/default/grub
That opens the file in the nano editor with elevated permissions. Go to the line that says:
GRUB_CMDLINE_LINUX_DEFAULT=""
Change it to:
Code:
GRUB_CMDLINE_LINUX_DEFAULT="nomodeset"
Press …, confirm the filename to save the changes, then exit back to the command line.
Then run:
Code:
sudo update-grub
Now I install NordVPN following these directions.
First install curl:
sudo apt install curl -y
then run the NordVPN install script:
sh <(curl -sSf https://downloads.nordcdn.com/apps/linux/install.sh)
After installing, add your username to the nordvpn group with usermod:
sudo usermod -aG nordvpn richard
After usermod, reboot the machine so NordVPN can be run without sudo:
sudo reboot now
After logging in as your Ubuntu user, open a terminal and enter the command that logs you in to NordVPN. Note that this should be done on screen, not via SSH; if you are using SSH, log in with a token instead.
nordvpn login
or
nordvpn login --token *putyourtokenhere*
I want to use NordLynx, not OpenVPN, so I use the following command:
nordvpn set technology nordlynx
Next, I turn mesh on, which allows me to remotely access this device via its static IP.
nordvpn set mesh on
Then I whitelist port 22 and my status server’s subnet, so that I can remote in and the status server can ping this machine.
nordvpn whitelist add port 22
nordvpn whitelist add subnet *yourstatusserverstaticIP*/29
Then I set autoconnect to my dedicated-IP server (the name looks like us12345):
nordvpn set autoconnect on us_____
Then I turn LAN discovery on:
nordvpn set lan-discovery on
Now we create the iptables firewall rules so that both Ethernet interfaces can reach the internet through the VPN. Open another terminal and run “ip addr” to find your interface names (eth0, eth1, enp2s0, enx0000000000, and so on); the iptables commands below use those names, so they must match or the rules will not work.
sudo iptables -t nat -A POSTROUTING -o nordlynx -j MASQUERADE
sudo iptables -A FORWARD -i nordlynx -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o nordlynx -j ACCEPT
sudo iptables -A FORWARD -i nordlynx -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth1 -o nordlynx -j ACCEPT
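Here is an added example, not part of the original post, that wraps the rules above in a script and adds a fail-closed FORWARD policy, so LAN clients cannot fall back to the bare ISP connection if the nordlynx tunnel goes down. The interface names VPN_IF=nordlynx and LAN_IFS="eth0 eth1" are assumptions; set them to whatever “ip addr” shows on your machine. DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 applies them and needs root.

```shell
#!/bin/sh
# Added example, not from the original post: apply the gateway's forwarding
# rules with a fail-closed default so clients cannot leak to the ISP when the
# VPN tunnel is down. Interface names below are assumptions; check `ip addr`.
set -eu

VPN_IF="${VPN_IF:-nordlynx}"     # NordLynx tunnel interface (assumed name)
LAN_IFS="${LAN_IFS:-eth0 eth1}"  # interfaces whose traffic must use the VPN (assumed)
DRY_RUN="${DRY_RUN:-1}"          # 1 = print commands only, 0 = really apply (as root)

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Emit or apply the complete rule set. The DROP policy goes first so the box
# is never in a state where forwarding is allowed without the tunnel.
vpn_forward_rules() {
    # Fail closed: forwarded packets not matched by an ACCEPT rule below are
    # dropped, so nothing from the LAN egresses the physical WAN interface.
    run iptables -w -P FORWARD DROP
    # NAT everything that leaves through the tunnel.
    run iptables -w -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    for lan in $LAN_IFS; do
        # Replies coming back down the tunnel for existing connections.
        run iptables -w -A FORWARD -i "$VPN_IF" -o "$lan" -m state --state RELATED,ESTABLISHED -j ACCEPT
        # New connections from the LAN side may only go out via the tunnel.
        run iptables -w -A FORWARD -i "$lan" -o "$VPN_IF" -j ACCEPT
    done
}

# Number of ACCEPT rules the set contains for the configured LAN interfaces
# (two per interface); a quick sanity check to compare against `iptables -S`.
expected_accept_rules() {
    set -- $LAN_IFS
    echo $(( $# * 2 ))
}

# Usage: DRY_RUN=1 sh gateway-rules.sh        # preview the commands
#        sudo DRY_RUN=0 sh gateway-rules.sh   # apply them
vpn_forward_rules
```

The -w flag makes iptables wait for the xtables lock instead of failing when NetworkManager (which adds its own rules for the “Shared to other computers” port) is touching the tables at the same moment. Note that iptables rules do not survive a reboot on their own: run the script from a boot-time unit or save the rules with the iptables-persistent package after confirming they work.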
Optional step: go to your router and set
Internet ⇾ WAN ⇾ change DHCP to Static IP, 10.42.0.100, because my router randomizes its MAC address, which left it with no internet at all after a reboot. With the router on a static IP I can reboot it over and over with no problem and no IP leak.
Quick video demo of this page.